Slashdot Mirror
Mac OS X Users Vulnerable To Major Java Flaw
FruitWorm writes in with word of a vulnerability in Java that has been patched by everyone but Apple. "Security researchers say that Mac OS X users are vulnerable to a critical, 6-month-old, remote vulnerability in Java, a component that is enabled by default in Web browsers on this platform. Julien Tinnes notes that this vulnerability differs from typical Java security flaws in that it is 'a pure Java vulnerability' and doesn't involve any native code. It affected not only Sun's Java but other implementations such as OpenJDK, on multiple platforms, including Linux and Windows. 'This means you can write a 100% reliable exploit in pure Java. This exploit will work on all the platforms, all the architectures and all the browsers,' Julien wrote. This bug was demonstrated during the Pwn2own security challenge this year at CanSecWest, but the details were not made public at that time. Tinnes recommends that Mac OS X users disable Java in their browsers until Apple releases a security update."
Anyway, Apple's "support" of Java is pretty pathetic. They're usually a year or more behind the curve and its not acceptable.
You're absolutely right about that. Apple decided that they'd be better than Sun at creating a JVM for their OS, so they did it themselves.
The result? PPC Macs are stuck on Java 1.5; Intel Macs have outdated, slow, and exploit vulnerable Java 1.6...
I'm more inclined to let the company that specializes in that stuff deal with it - but then again, maybe it gave them much needed experience for their Rosetta technology.
try the 'say' invoking applet by Landon Fuller: http://is.gd/BpBp. That scared the crap out of me... what if it had invoked 'rm -rf ~'?
Show a man some news, distract him for an hour. Show a man some mod points, distract him for the rest of his life.
Does it matter? If the JVM has access to the filesystem and the network, that's all a virus writer needs.
Very similar here.
At home, I had removed all traces of Java like eons ago. Never had a problem. Only OO.o occasionally complains that there is no Java installed, but no crucial functionality is affected.
In office, one of the corporate portals uses ActiveX and Java. Though Java applet is used apparently only during authentication, it still requires Java. (IOW, puny 20K applet wastes countless megabytes/gigabytes of disk space on hundred desktops.) Otherwise - no Java in sight.
All hope abandon ye who enter here.
In "the oldun days", computers used to come with books, instruction manuals, telling you how to use them. Nower days, OS vendors will jump through hoops to try and ensure that their users Do Not Have To Learn A God Damn Thing(tm)... and in some instances, inconsistent user interfaces actually prohibit learning (although I wouldn't call this common case). And this is the result.
I'm not suggesting people should have to know all the nuts and bolts of the internals, but I'm sure there's a middle ground so this culture of "our users are stupid, we must protect their tiny brains" can be vanquished.
(this is not limited to Apple/OSX by any means, although they do appear to me to be worse for it, this gap is closing fast)
The revolution will not be televised... but it will have a page on Wikipedia
Then you are very lucky, and likely don't work for a ginormous company whose only way to not make things in ActiveX is to make them in Java.
: ) Reason no 12939 not to work at a gigantic corporation. Having experienced working in large companies, I sympathise.
The funniest thing about large companies using web-apps for internal software is that most of them produce web-apps which depend on technology which is not truly cross-platform (Active-X, using a certain JVM, depending on a certain browser, etc), thus removing most of the business benefit of using a web application in the first place.
But, because of this standardization, the internal development staff only needs to target one defined platform, they aren't really worried about cross-platform support.
This works really well as a way to cut costs *for the IT department* in the short term. As to whether it cuts costs for the company as a whole (there's the lost productivity involved in enforcing a standard install that you alluded to, and the lack of choice of tools), is another matter, and I'm sure varies with the company/tech involved. Obviously some degree of standardisation is required when managing large numbers of computers, so I'd happily concede that point.
But there is a bigger issue related to this strategy in the long term. In the long term, targeting one platform exclusively leads to the production of tools which are tied tighter and tighter to that platform. So it means you can never switch to a competitor; you can't even consider switching to a competitor unless you're willing to ditch all the internal software that you've built up which will only work on version X of system X. It becomes simply impossible for your business to even think about switching. You might even find that moving to a new version of an operating system has significant costs which you had not anticipated (an XP to Vista migration for example, or IE 6 to IE 8). These are not the normal costs of doing business, they are the costs of doing business if you choose to lock yourself too tightly to one platform.
There is a reason that Microsoft pushed things like Active-X, .NET and IE for web apps, Sun pushes Java everywhere, Apple encourages web pages made for iPhones, etc. It is to tie developers/companies in to using just their products, and it is in the long-term interests of the tool provider, not the company using the tools to work with.
Using web apps for internal software is a good way out of this conundrum, so long as you do not target a specific platform with them. Otherwise, you may as well be writing binary software tied to a specific version of one OS - the end result is the same - lock-in. I understand completely why, in the real world, these decisions are made, but if you look at the situation rationally they are not good investments of time/money over the long-term, and they undermine the very reasons for writing software as a web application in the first place.
Frak, someone always has to make this post, don't they?
Of course OS X has security flaws: it's a modern, general purpose operating system.
The fact remains that by many metrics it is much more secure than Windows. For one, there are no where near the number of malware in the wild targeting OS X as there are for Windows. Most people who run OS X have never, ever had to worry about contracting a virus, trojan, or worm. That is not the same thing as saying they never will, but it is a remarkable track record.
I am concerned about Apple's slow response to newly identified flaws. Their lack of candor in discussing vulnerabilities, their potential impact on the platform, or details of its remediation in patches' release notes is also worrisome. They need to pick up their game if they want to keep that track record as the platform expands.
obviously no deficiencies vs. no obvious deficiencies